Crafting The Perfect Password - Comments Page 2
Posted by:
I use a translation table to save my passwords in plain-text hints, e.g. if the real password is vectoraxraytoolxray. Combine this with capitalization and a reference to the specific website (say, always the first two characters of the website name in capitals), e.g. for askbobrankin.com, if the hint were Dae, then dae = ASTrainvector637, and so on. Mix and match at will, and even if you mess up the capitals in the hint you have the base to work with. Works for me :)
Posted by:
Bob @monte
Posted by:
I'm computer savvy and realize that every little bit helps. I do appreciate your insightful articles, but tell me: what good are incredibly strong, secure passwords when hackers break into a company and steal them (for mischief or ransom)? That's happened to me at least five times this year: my bank, websites where I shop, sensitive data storage sites like credit card companies, little businesses, big businesses--ominous emails inform me that these businesses themselves have been hacked! I'm told I need to change my password, I may receive a year's worth of free account monitoring (in some cases) and the police have been notified. Really!? Isn't it a bit late for all that, when my unhackable password has still been hijacked by those responsible for keeping it secure? Yes, I could change my password every day, but I have literally dozens of typed pages of passwords. Let's discuss this larger problem, if you please.
Posted by:
No one has mentioned typing a run on the keyboard; are hackers' programs looking for those? I.e., 2wsxcde3
Posted by:
You say: "You might be thinking "Okay, a botnet can send millions of passwords per second. But can the receiving server process (either accept or reject) more than 100 password attempts per second?" Here's the answer: it doesn't have to. These brute force password cracking tools are used when hackers break into a web server, thereby gaining access to the encrypted password database. Once inside, they can transfer that cache of usernames and passwords to another location and attack it at will." I don't really get your reasoning here. The bad guys have got hold of an encrypted password database. In that case, what difference does it make how secure my personal password is or isn't?
Posted by:
You almost have it. You forgot those who can't choose their password(s). Also, while users are coming up to speed with developing a "good" password it may be hard for them to remember it. My suggestion for those two scenarios is to use the draft option in the email program normally used at least on a daily basis. This way the password is protected by a password used at least daily by them. This would be a way to store related info such as URL, username, security responses etc. for that account.
Posted by:
I use and recommend KeePass for storing my passwords, which currently number in the hundreds. My password database is stored in the cloud (Dropbox) and syncs to all my computing platforms. On Android I recommend the Keepass2Android app.
Posted by:
Any decent website will allow only a very limited number of tries (3-5), after which it will not allow any more entries. So how in the world can a hacker try to decipher the password?! Don't worry about complicated passwords. A hacker will have other means to get it, by phishing or other means. So long or complicated passwords have no security advantages. Please elaborate on this in future.
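The offline attack that the quoted article describes, and that the lockout question above turns on, as an added example (written for this page, not code from the article or from any commenter). A site stored SHA-256(salt || password); the attacker now holds that table and guesses against it on their own hardware, so the site's 3-5 attempt lockout never fires. The leaked table, the five-word wordlist, the mangling rules and the keyboard-walk generator (which produces runs such as 2wsxcde3, the pattern asked about two comments up) are all constructed for the example; a real cracker applies the same idea with far larger wordlists and rates. The long passphrase survives only because no rule generates it, which is the sense in which a password's own strength still matters after a breach.

```python
import hashlib

# Constructed sample data for this example only (not from any real breach).
# The site stored SHA-256(salt || password); the attacker holds the table and
# guesses offline, so per-account lockout on the live site never applies.

def _sha256(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_leaked_table(accounts):
    """Simulate the stored form: username -> (salt, hex digest)."""
    table = {}
    for user, password in accounts.items():
        # Deterministic per-user salt so the example is reproducible.
        salt = hashlib.sha256(b"salt:" + user.encode()).digest()[:8]
        table[user] = (salt, _sha256(salt, password))
    return table

LEAKED = build_leaked_table({
    "alice": "password1",                    # dictionary word + digit
    "bob": "2wsxcde3",                       # QWERTY column walk
    "carol": "Vanilla2016!",                 # capitalised word + year + symbol
    "dave": "tripod-meadow-quartz-lantern",  # long multi-word passphrase
})

# Tiny stand-in for a real multi-million-entry wordlist.
WORDLIST = ["password", "vanilla", "letmein", "dragon", "summer"]

def keyboard_walks():
    """Generate runs along QWERTY rows and columns, e.g. '2wsxcde3'."""
    rows = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
    # Columns as they sit under the fingers: '1qaz', '2wsx', '3edc', ...
    cols = ["".join(r[i] for r in rows) for i in range(len(rows[-1]))]
    walks = set()
    for r in rows:
        for n in range(4, len(r) + 1):
            for start in range(len(r) - n + 1):
                seg = r[start:start + n]
                walks.update({seg, seg[::-1]})
    for i, col in enumerate(cols):
        walks.update({col, col[::-1]})
        if i + 1 < len(cols):
            nxt = cols[i + 1]
            # Down one column then up the next, and the other three combinations.
            walks.update({col + nxt[::-1], col + nxt, col[::-1] + nxt, col[::-1] + nxt[::-1]})
    return walks

def candidates(wordlist):
    """Yield guesses: case-mangled words with digit/year/symbol suffixes, then keyboard walks."""
    for word in wordlist:
        for base in (word.lower(), word.capitalize(), word.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"
            for year in range(1990, 2030):
                yield f"{base}{year}"
                yield f"{base}{year}!"
    yield from sorted(keyboard_walks())

def crack(table, wordlist):
    """Offline attack: hash every candidate under every account's salt.
    Returns (cracked {user: plaintext}, number of guesses tried per account)."""
    cracked = {}
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        for user, (salt, digest) in table.items():
            if user not in cracked and _sha256(salt, guess) == digest:
                cracked[user] = guess
    return cracked, guesses

if __name__ == "__main__":
    found, n = crack(LEAKED, WORDLIST)
    print(f"{n} guesses tried against every account; a 3-5 attempt lockout never came into play")
    for user in LEAKED:
        print(f"{user}: {found.get(user, '<not cracked>')}")
```

Only the passphrase survives, and only because nothing in the rule set produces it. With a fast unsalted hash a GPU would run the same search billions of times faster; a slow salted hash (bcrypt, scrypt, Argon2) on the server side is what buys users time after a leak, and it is the only defence for the weak entries in the table.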
Posted by:
Check out Safe In Cloud. Simple and very effective across all platforms.
Posted by:
Am I understanding correctly that using your recipe I can create one password for all of the sites I log on to?
Posted by:
Using Bob's formula and my own on-shelf book title (20+ characters), I got: Your password will be bruteforced with an average home computer in approximately 10,000+ centuries... and an added comment on the test web site: "Bender Rodriguez would steal everything valuable in the Universe in that time. Including your password." Cute. Some sites I use won't accept that large a PW, though. A shorter 12+ char PW: Your password will be bruteforced with an average home computer in approximately 43 centuries. Seems good to me. Do you agree?
Posted by:
Reply to Steph: Using one PW on all sites is not recommended. You especially want to use different PWs on sites where you are more concerned about security, such as checking account, credit cards, home security or any sites where you would worry if someone got your PW by any means (watching you type it, etc.). You could use a little black book that you keep hidden away... or one of the PW managers mentioned above. I like Roboform, myself.
Posted by:
I use my own encryption method, applying several rules. Of course, I shall not tell anybody what my rules are, but they work. I don't like password managers, because they create ugly passwords that must be written down so they are not forgotten.
Posted by:
I use a similar approach to that outlined by Annette above. I use a strong base passphrase (LoveVanillaIceCream, say) and customize it slightly on a per-site basis (LoveVanillaIceCreamBank, say). This enables me to create strong and unique passwords - which avoids the risk of cross-site password attacks in the case of a credential database being compromised - without the need for a password manager. The problem with password managers - and especially online password managers - is that, sooner or later, somebody will work out how to exploit them. LastPass has already had a couple of scares.
Posted by:
Strength and complexity aren't as important as people think. The chances of somebody attempting to brute-force their way into one of your accounts are somewhere between slim and none. It's not how things happen. Passwords mainly get compromised in one of three ways: 1. Credential database theft; A strong password provides absolutely zero protection against #1 or #2, but does, to some extent, provide protection against #3 - however, so would a simple, non-complex random password that can't be guessed/discovered. This isn't to say that people shouldn't use strong passwords - they obviously should.
Posted by:
By the way, I somewhat disagree with your comment about not writing passwords down. It'd obviously be a bad idea to do it in a work environment, but at home - depending on who's coming and going - it may not be a bad way of managing your passwords. Especially if your list is securely tucked away.
Posted by:
I am not even sure I should put this out for general consumption. I am a scientist. I tried several simple two-scientific-word passwords with a space between at the Kaspersky site. Simple does not mean the words are easy, just that they are in my frequent thinking. One of them (one term is outdated) would take the Tianhe-2 supercomputer 10,000 centuries to crack. Most two-word technical terms I used with a space in between - and no special characters - would take the Tianhe-2 several months to a few years.
Posted by:
Good grief, thanks so much for the wake-up call, Bob. Kaspersky says my password can be broken in 26 seconds! And that one was for my bank account! My new one says it will take a few hundred centuries, using very few more characters and just as easy to remember. Am now using just 4 passwords for 4 different classes of online transactions (from junk sites to financial). Anything is far better than before! Being a stubborn ornery 80 year old fossil, I prefer to manage myself without relying on any password management software. Same with web-site writing software, I prefer a pencil, paper and HTML. Thanks again, Bob, many thanks.
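The "centuries to crack" figures reported in the comments above come from a meter that models the attacker as enumerating every character of a chosen alphabet. The added example below (written for this page, not code from the article, the meter or any commenter) puts that model beside a dictionary model for passwords built from separated words, because a two-word technical term is found far sooner by a word list than by character enumeration, and the attacker gets to pick whichever search is cheaper. The guess rates, the 100,000-word vocabulary and the character-class sizes are assumptions chosen for illustration; the numbers they produce are only as good as those assumptions.

```python
import re

# Assumed guess rates (guesses per second) for this example only. Real rates
# depend on the hash the site used: bcrypt/Argon2 are orders of magnitude
# slower to test than an unsalted SHA-1 or MD5.
RATES_PER_SECOND = {
    "online, rate-limited": 10,
    "home PC, fast unsalted hash": 10**9,
    "GPU cluster, fast unsalted hash": 10**12,
}
ASSUMED_VOCABULARY = 100_000  # words assumed to be in the attacker's list

def charset_size(password):
    """Alphabet size a character-enumeration meter would assign: the sum of the
    standard classes that appear (lowercase, uppercase, digits, punctuation)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return size

def brute_force_guesses(password):
    """Keyspace if the attacker enumerates characters, as simple meters assume."""
    return charset_size(password) ** len(password)

def wordlist_guesses(password, vocabulary=ASSUMED_VOCABULARY):
    """Keyspace if the attacker guesses k dictionary words joined by a separator
    (space, hyphen, underscore or dot). None when the password is not built
    from two or more separated alphabetic words."""
    words = re.split(r"[ \-_.]", password.strip())
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return vocabulary ** len(words)

def best_case_guesses(password):
    """What the attacker actually needs: the cheaper of the two models."""
    models = [brute_force_guesses(password)]
    by_words = wordlist_guesses(password)
    if by_words is not None:
        models.append(by_words)
    return min(models)

def expected_seconds(guesses, rate):
    """Average time to reach the right guess: half the keyspace at the given rate."""
    return guesses / (2 * rate)

def describe(seconds):
    """Render seconds in the largest unit that fits, meter-style."""
    units = (("centuries", 3.1536e9), ("years", 3.1536e7),
             ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def report(password):
    """Attacker's best-case time under each assumed rate."""
    guesses = best_case_guesses(password)
    return {name: describe(expected_seconds(guesses, rate))
            for name, rate in RATES_PER_SECOND.items()}

if __name__ == "__main__":
    # Constructed sample passwords, one per model.
    for pw in ("Vanilla2016!", "quantum chromodynamics", "tripod-meadow-quartz-lantern"):
        print(pw)
        print("  character model:", brute_force_guesses(pw), "guesses")
        print("  word model:     ", wordlist_guesses(pw), "guesses")
        print("  best case:      ", report(pw))
```

The two-word term rates as astronomically strong under the character model (59 symbols to the 22nd power) and as a few seconds of work under the word model at a billion guesses per second; the four-word passphrase stays in the centuries under both. A meter that only runs the first model will overstate any password made of dictionary words, which is the caveat to attach to the "months to years" and "hundreds of centuries" readings above.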
Posted by:
Forgot to mention, Bob, that I stored my new stronger passwords in a text file, then took a "screen shot" of them and then deleted the text file. Do you think that an image.jpg is secure storage on my PC for my passwords? (I used to use hexadecimal and Java but switched to images to do something similar to cloak email addresses from harvesting bots on my web-sites.) Thanks again for this article, Bob.